CPE Developer Day - notes

Andrew Buttner

CPE Developer Day - notes

Thank you to everyone that attended CPE Developer Days on April 30th.
The event was a great success and the discussion we had will really
help us move CPE forward in a direction that benefits the community.
Attached are the detailed notes taken from the conference.

We will try to get these notes up on the web site shortly.

Going forward, MITRE plans to work through the action items and help
further the discussions that still need to be completed.

Thanks again!
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515


Attachment: developer_day_notes.pdf (248K)
Ken Lassesen-3

Missing CPEs

Two questions (both arising out of reconciliation of CPE with WSUS 3.0 data)

1) I see some titles that are 'odd', i.e.
          "Microsoft exchange_srv 2000" but SP1 is "Microsoft Exchange Server 2000 Service Pack 1"
2) Some missing products (i.e. they are deemed to exist with WSUS )
* Exchange Server 2007 Anti-Spam
* Data Protection Manager 2006
* Firewall Client for ISA Server
* Microsoft ISA Server 2006
* Photo Gallery
* Silverlight
* Windows XP 64 bits  --- Server 2003 x64 is there....
* Windows Server 2008
* Windows Server 2003 Small Business Server

Also, why should USA Server 2004 be a cpe:/a: and not a cpe:/o ????

Would anyone have a mapping of the WSUS Categories to CPEs? There seem to be a lot of gaps.....



Ken Lassesen,
Home/Office: 360-724-3190 Fax: 952-516-5077
Cell: 360-509-2402  Skype: Ken.Lassesen
IM: [hidden email]  http://www.linkedin.com/in/lassesen 
CONFIDENTIALITY NOTICE
The information contained in this electronic message may contain confidential and privileged information and is intended only for use by the individual(s) or entity(ies) to whom it was addressed. Any unauthorized review, use, disclosure, or distribution of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and permanently delete and destroy the original message.
Ken Lassesen-3

Re: Missing CPEs

PS: Microsoft WSUS does not appear to be listed either... and it's up to 3.0SP1


Andrew Buttner

Re: Missing CPEs

In reply to this post by Ken Lassesen-3
Ken,
 
re: 1) - I think this would be a result of some auto generation of titles.  (NIST can confirm)  Should be an easy enough fix though.  Thank you for pointing it out.
 
re: 2) - The names that are currently in the dictionary just represented a start so gaps are not surprising.  It would be great to add some additional names.  The current approach to this is to send an XML file valid against the CPE Dictionary Schema to [hidden email] with proposed names that can be considered for addition.  If there isn't time/opportunity on your end for this, we can try to do the research but it may take some time.
 
The procedure for adding names will change in the future as the infrastructure around the dictionary improves.
 
re: USA Server - I am not sure about this but can do research on this.  Thank you for pointing this out.
 
Thanks
Drew
 
 



Gary Newman-2

Re: Missing CPEs

A google search for

        microsoft "USA Server 2004"

shows that it appears to be the Polish name for ISA Server 2004.

> re: USA Server - I am not sure about this but can do research on this.
Ken Lassesen-3

Re: Missing CPEs

In reply to this post by Andrew Buttner

At the moment my shelf permits (and encouraged) my submitting updates, likely in the next week.

 


Ken Lassesen-3

Re: Missing CPEs

In reply to this post by Gary Newman-2
I'm hoping to get a CPE update submitted based on the names used in WSUS 3.0 (likely as close to MSFT official as we are likely to get) within the next week....

Ken Lassesen-3

Mechanical Means Titles

On Windows there are two ways of getting titles for multiple products:
* WSUS 3.0 Server Entry
* WMI name

We currently support language in <title>, I would like to propose adding

<title source="wsus">
<title source="wmi">

(and others as they are discovered). This will apply only to mechanical sources that:
* identify MULTIPLE PRODUCTS

In some cases, these may need language...

Ken Lassesen-3

Re: Missing CPEs

In reply to this post by Ken Lassesen-3
Attached is my extract from WSUS 3.0 and my tentative assignments of CPEs (using existing wherever they match)...

I do have some concerns because I see some items marked as "a" application whereas the application is embedded in an OS, that is, you cannot install it on top of an existing OS and frequently the OS has been customized for the application.

My feeling is that if the product cannot be installed (out of the box) on top of an existing OS then it's an OS....  comments.

Feel free to counter-propose my assignments.  My goal was a basic one --- ensure that every title used in WSUS has a cpe.... I do not care what the cpe is, I just want one /../.



<?xml version="1.0" encoding="UTF-8"?>
<cpe-list xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns="http://cpe.mitre.org/dictionary/2.0" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 http://nvd.nist.gov/schema/cpe-dictionary-metadata_0.2.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
  <generator>
    <product_name>Lumension Security Repository[WSUS Sourced]</product_name>
    <product_version>3.0</product_version>
    <schema_version>2.1</schema_version>
    <timestamp>2008-05-23T14:24:43Z</timestamp>
  </generator>
  <cpe-item name="cpe:/a:microsoft:windows_2003_server:cluster_pack">
    <title source="wsus3.0">Compute Cluster Pack</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange">
    <title source="wsus3.0">Exchange</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:forefront_security">
    <title source="wsus3.0">Forefront</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server">
    <title source="wsus3.0">Internet Security and Acceleration Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:system_center:data_protection_manager">
    <title source="wsus3.0">Microsoft System Center Data Protection Manager</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office">
    <title source="wsus3.0">Office</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:communications_server">
    <title source="wsus3.0">Office Communications Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sdk">
    <title source="wsus3.0">SDK Components</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server">
    <title source="wsus3.0">SQL Server</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:system_center:virtual_machine_manager">
    <title source="wsus3.0">System Center Virtual Machine Manager</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:systems_management_server">
    <title source="wsus3.0">Systems Management Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:virtual_server">
    <title source="wsus3.0">Virtual Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:visual_studio">
    <title source="wsus3.0">Visual Studio</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows">
    <title source="wsus3.0">Windows</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_live">
    <title source="wsus3.0">Windows Live</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows:small_business_server">
    <title source="wsus3.0">Windows Small Business Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:capicom">
    <title source="wsus3.0">CAPICOM</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:system_center:data_protection_manager:2006">
    <title source="wsus3.0">Data Protection Manager 2006</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2000">
    <title source="wsus3.0">Exchange 2000 Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2003">
    <title source="wsus3.0">Exchange Server 2003</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2007">
    <title source="wsus3.0">Exchange Server 2007</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:exchange_server:2007:antispam">
    <title source="wsus3.0">Exchange Server 2007 Anti-spam</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server:firewall">
    <title source="wsus3.0">Firewall Client for ISA Server</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:forefront_security">
    <title source="wsus3.0">Forefront Client Security</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:isa_server:2006">
    <title source="wsus3.0">Internet Security and Acceleration Server 2006</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:isa_server:2009">
    <title source="wsus3.0">ISA Server codename Nitrogen,  Definition Updates for HTTP Malware Protection</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:mail:installer">
    <title source="wsus3.0">Mail Installation and Upgrades</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:virtual_server:2007">
    <title source="wsus3.0">Microsoft System Center Virtual Machine Manager 2007</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:2002">
    <title source="wsus3.0">Office 2002/XP</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:2003">
    <title source="wsus3.0">Office 2003</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:2007">
    <title source="wsus3.0">Office 2007</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:office_communicator:2007">
    <title source="wsus3.0">Office Communications Server 2007</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_live_onecare">
    <title source="wsus3.0">OneCare Family Safety Installation</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:photo_gallery">
    <title source="wsus3.0">Photo Gallery Installation and Upgrades</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:signin_assistant">
    <title source="wsus3.0">Sign-in Assistant Installation and Upgrades</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server:2005">
    <title source="wsus3.0">SQL Server 2005</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server::feature_pack">
    <title source="wsus3.0">SQL Server Feature Pack</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:systems_management_server:2007">
    <title source="wsus3.0">System Center Configuration Management 2007</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:virtual_pc">
    <title source="wsus3.0">Virtual PC</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:visual_studio:2005">
    <title source="wsus3.0">Visual Studio 2005</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2000">
    <title source="wsus3.0">Windows 2000</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_defender">
    <title source="wsus3.0">Windows Defender</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:ie:7:dynamic_installer">
    <title source="wsus3.0">Windows Internet Explorer 7 Dynamic Installer</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_live_toolbar">
    <title source="wsus3.0">Windows Live Toolbar</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_media_format_dynamic_installer">
    <title source="wsus3.0">Windows Media Dynamic Installer</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2003_server">
    <title source="wsus3.0">Windows Server 2003</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2003_server::datacenter">
    <title source="wsus3.0">Windows Server 2003, Datacenter Edition</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2008">
    <title source="wsus3.0">Windows Server 2008</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:small_business_server:2003">
    <title source="wsus3.0">Windows Small Business Server 2003</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:vista:ultimate:extras">
    <title source="wsus3.0">Windows Ultimate Extras</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_vista">
    <title source="wsus3.0">Windows Vista</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:vista:ultimate:language">
    <title source="wsus3.0">Windows Vista Ultimate Language Packs</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp">
    <title source="wsus3.0">Windows XP</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp::x64:2003">
    <title source="wsus3.0">Windows XP 64-Bit Edition Version 2003</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp:x64">
    <title source="wsus3.0">Windows XP x64 Edition</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:writer:installation">
    <title source="wsus3.0">Writer Installation and Upgrades</title>
  </cpe-item>
</cpe-list>
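
An added example, not part of the original post or of any CPE project tooling: a Python check for a cpe-list like the attachment above, reporting names that occur on more than one cpe-item and vendor/product pairs filed under more than one part (the "a" versus "o" question raised in this thread). The function names `parse_cpe` and `lint_dictionary` are chosen here, and the sample is a constructed excerpt of entries copied from the attachment.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Default namespace used by the cpe-list in the attachment.
NS = {"cpe": "http://cpe.mitre.org/dictionary/2.0"}

# Component order of a CPE 2.x URI name after the "cpe:/" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed sample: six entries copied from the attachment so this runs offline.
SAMPLE = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/a:microsoft:forefront_security">
    <title source="wsus3.0">Forefront</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:forefront_security">
    <title source="wsus3.0">Forefront Client Security</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server">
    <title source="wsus3.0">Internet Security and Acceleration Server</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:isa_server:2006">
    <title source="wsus3.0">Internet Security and Acceleration Server 2006</title>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server::feature_pack">
    <title source="wsus3.0">SQL Server Feature Pack</title>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_vista">
    <title source="wsus3.0">Windows Vista</title>
  </cpe-item>
</cpe-list>
"""


def parse_cpe(name):
    """Split a CPE 2.x URI name into its seven named components."""
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.x URI: {name!r}")
    values = name[len(prefix):].split(":")
    if len(values) > len(FIELDS):
        raise ValueError(f"too many components: {name!r}")
    # Trailing components may be omitted; an empty one in the middle
    # (as in "sql_server::feature_pack") stays an empty string.
    values += [""] * (len(FIELDS) - len(values))
    return dict(zip(FIELDS, values))


def lint_dictionary(xml_text):
    """Return duplicate names, unrecognized parts and mixed-part products."""
    root = ET.fromstring(xml_text)
    items_per_name = Counter()
    titles_by_name = defaultdict(list)
    parts_by_product = defaultdict(set)
    unrecognized_part = []

    for item in root.findall("cpe:cpe-item", NS):
        name = item.get("name", "")
        cpe = parse_cpe(name)
        items_per_name[name] += 1
        for title in item.findall("cpe:title", NS):
            titles_by_name[name].append(title.text or "")
        # CPE 2.x defines three parts: hardware, operating system, application.
        if cpe["part"] not in ("h", "o", "a"):
            unrecognized_part.append(name)
        parts_by_product[(cpe["vendor"], cpe["product"])].add(cpe["part"])

    return {
        # One name on several cpe-items: the name no longer identifies one entry.
        "duplicate_names": {
            n: titles_by_name[n] for n, c in items_per_name.items() if c > 1
        },
        "unrecognized_part": unrecognized_part,
        # Same vendor/product filed under more than one part.
        "mixed_part": {
            k: sorted(v) for k, v in parts_by_product.items() if len(v) > 1
        },
    }


if __name__ == "__main__":
    report = lint_dictionary(SAMPLE)
    for name, titles in report["duplicate_names"].items():
        print("duplicate name:", name, "titles:", titles)
    for (vendor, product), parts in report["mixed_part"].items():
        print("mixed part:", vendor, product, parts)
    for name in report["unrecognized_part"]:
        print("unrecognized part:", name)
```
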
Wolfkiel, Joseph

Re: Missing CPEs

In reply to this post by Ken Lassesen-3
One way to resolve the ambiguity would be to leave off the part type if
there isn't a clear understanding of whether it's an application or
operating system.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


Wolfkiel, Joseph

Re: Mechanical Means Titles

In reply to this post by Ken Lassesen-3
I hadn't thought of using the "title" element for this purpose.  If we go
this route, I assume the convention will be to use the title with
language=en as the title to display to the user?

Andrew Buttner

Re: Missing CPEs

In reply to this post by Ken Lassesen-3
>I do have some concerns because I see some items marked as "a"
>application whereas the application is embedded in an OS, that is, you
>cannot install it on top of an existing OS and frequently the OS has
>been customized for the application.
>
>My feeling is that if the product cannot be installed (out of the box)
>on top of an existing OS then it's an OS....  comments.

In the past we have always treated these components as applications,
even if they were not available outside the OS.  They were thought of
as a bundled application.  The OS tag was reserved for the name related
to the base OS and not the components themselves.

If the desire is to switch this behavior we can do so in a future
version, but I personally think the current approach is cleaner.  In a
sense, everything is an application except the core operating system.

Are there additional thoughts on this?

Thanks
Drew
Andrew Buttner

Re: Missing CPEs

In reply to this post by Wolfkiel, Joseph
>One way to resolve the ambiguity would be to leave off the part type if
>there isn't a clear understanding of whether it's an application or
>operating system.

This topic was brought up at CPE Developer Days.  Technically there
would not be an issue with removing the part as it is extremely rare
that vendor/product names are the same for an OS, Application, or piece
of hardware.  So the names would still be unique, which is the ultimate
goal.  But the community also felt that any benefit was not worth the
changes that must be made to the spec.  In addition, having the part
component does allow additional names to be created that might be
useful in the future.  For example, having the part component allows a
name for 'all operating systems from Cisco'.

Is there a desire to reopen this discussion within the community?

Thanks
Drew
Andrew Buttner

Re: Mechanical Means Titles

In reply to this post by Wolfkiel, Joseph
One of the take-aways from CPE Developer Days was to look into relating
multiple keywords (or in this case known titles) to a given CPE Name.
This could be done via tagging, an additional metadata field, etc.  The
hope was to leave <title> as is and keep it as the vendor endorsed title
for the platform type.  I'd like to have this discussion within the
community and will start up a new thread to have it.

For now I would look at using the <xsd:any> section as a place to add
this information until a more formal approach can be implemented.

Thanks
Drew

>-----Original Message-----
>From: Wolfkiel, Joseph [mailto:[hidden email]]
>Sent: Tuesday, May 27, 2008 6:34 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Mechanical Means Titles
>
>I hadn't thought of using the "title" element for this purpose.  If we go
>this route, I assume the convention will be to use the title with
>language=en as the title to display to the user?
>
>Lt Col Joseph L. Wolfkiel
>
>Director, Computer Network Defense Research & Technology (CND R&T) Program
>Management Office
>
>9800 Savage Rd Ste 6767
>Ft Meade, MD 20755-6767
>Commercial 410-854-5401 DSN 244-5401
>Fax 410-854-6700
>
>
>-----Original Message-----
>From: Ken Lassesen [mailto:[hidden email]]
>Sent: Sunday, May 25, 2008 10:35 PM
>To: [hidden email]
>Subject: [CPE-DISCUSSION-LIST] Mechanical Means Titles
>
>
>On Windows there are two ways of getting titles for multiple products:
>* WSUS 3.0 Server Entry
>* WMI name
>
>We currently support language in <title>, I would like to propose adding
>
><title source="wsus">
><title source="wmi">
>
>(and others as they are discovered). This will apply only to mechanical
>sources that:
>* identify MULTIPLE PRODUCTS
>
>In some cases, these may need language...
>
>Ken Lassesen,
>Home/Office: 360-724-3190 Fax: 952-516-5077
>Cell: 360-509-2402  Skype: Ken.Lassesen
>IM: [hidden email]  http://www.linkedin.com/in/lassesen
Ken Lassesen-3

Re: Missing CPEs

In reply to this post by Andrew Buttner
So, with VISTA, VISTA-BASIC would be the OS, VISTA-Business, Vista-Ultimate would be applications?

That is where the approach seems to lead

Ken Lassesen,
Home/Office: 360-724-3190 Fax: 952-516-5077
Cell: 360-509-2402  Skype: Ken.Lassesen
IM: [hidden email]  http://www.linkedin.com/in/lassesen 

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, May 27, 2008 6:33 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Missing CPEs

>I do have some concerns because I see some items marked as "a"
>application whereas the application is embedded in an OS, that is, you
>cannot install it on top of an existing OS and frequently the OS has
>been customized for the application.
>
>My feeling is that if the product cannot be installed (out of the box)
>on top of an existing OS then it's an OS....  comments.

In the past we have always treated these components as applications,
even if they were not available outside the OS.  They were thought of
as a bundled application.  The OS tag was reserved for the name related
to the base OS and not the components themselves.

If the desire is to switch this behavior we can do so in a future
version, but I personally think the current approach is cleaner.  In a
sense, everything is an application except the core operating system.

Are there additional thoughts on this?

Thanks
Drew
Andrew Buttner

Re: Missing CPEs

>So, with VISTA, VISTA-BASIC would be the OS, VISTA-Business, Vista-Ultimate
>would be applications?

I would have thought that 'home_basic' and 'business' are editions of
Vista.  So ...

cpe:/o:microsoft:windows_vista:::home_basic
cpe:/o:microsoft:windows_vista:::home_premium
cpe:/o:microsoft:windows_vista:::business
cpe:/o:microsoft:windows_vista:::enterprise
cpe:/o:microsoft:windows_vista:::ultimate

If you want a name for a specific component of these editions, then
that component name would be an application name.  For example:

cpe:/a:microsoft:network_monitor

Thanks
Drew
Ken Lassesen-3

Re: Missing CPEs

[This is a rhetorical thread trying to get philosophical clarity]

The catch is that the differences are really "add-on", you get the core PLUS some add on components (in many cases, you could buy 3rd applications with the equivalent functionality)... so the question is where do we swing the sword at this knot?

Example: Business = Home Premium  + BACKUP SOFTWARE + REMOTE ACCESS  - MEDIA CENTER Features.

The change is strictly one of applications that become bundled. So does this mean Windows with IE7 and Windows without IE7 (i.e. EU Edition) are two different OS?

My suggestion is that any product or product bundling that cannot be installed on top of an existing operating system is an operating system. If it can be installed on top of an existing operating system it is an application.

By Operating System, I mean something that enables physical hardware or virtual hardware.




Ken Lassesen,
Home/Office: 360-724-3190 Fax: 952-516-5077
Cell: 360-509-2402  Skype: Ken.Lassesen
IM: [hidden email]  http://www.linkedin.com/in/lassesen 


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, May 27, 2008 8:15 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Missing CPEs

>So, with VISTA, VISTA-BASIC would be the OS, VISTA-Business, Vista-Ultimate
>would be applications?

I would have thought that 'home_basic' and 'business' are editions of
Vista.  So ...

cpe:/o:microsoft:windows_vista:::home_basic
cpe:/o:microsoft:windows_vista:::home_premium
cpe:/o:microsoft:windows_vista:::business
cpe:/o:microsoft:windows_vista:::enterprise
cpe:/o:microsoft:windows_vista:::ultimate

If you want a name for a specific component of these editions, then
that component name would be an application name.  For example:

cpe:/a:microsoft:network_monitor

Thanks
Drew
Banghart, John

Re: Missing CPEs

Additionally, it is possible to disable/remove the bundled applications in question, resulting in the possible use of a CPE that may not actually represent the actual state of the running OS.  I know that in Vista Ultimate, some features are available for me to activate, but aren't actually installed.  So what edition of Vista am I actually using since I can't be sure by reading what is on the box?


--
John Banghart, CISSP
Associate
Booz | Allen | Hamilton
Tel (703) 377-5040
[hidden email]


-----Original Message-----
From: Ken Lassesen [mailto:[hidden email]]
Sent: Tuesday, May 27, 2008 11:40 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Missing CPEs

[This is a rhetorical thread trying to get philosophical clarity]

The catch is that the differences are really "add-on", you get the core PLUS some add on components (in many cases, you could buy 3rd applications with the equivalent functionality)... so the question is where do we swing the sword at this knot?

Example: Business = Home Premium  + BACKUP SOFTWARE + REMOTE ACCESS  - MEDIA CENTER Features.

The change is strictly one of applications that become bundled. So does this mean Windows with IE7 and Windows without IE7 (i.e. EU Edition) are two different OS?

My suggestion is that any product or product bundling that cannot be installed on top of an existing operating system is an operating system. If it can be installed on top of an existing operating system it is an application.

By Operating System, I mean something that enables physical hardware or virtual hardware.




Ken Lassesen,
Home/Office: 360-724-3190 Fax: 952-516-5077
Cell: 360-509-2402  Skype: Ken.Lassesen
IM: [hidden email]  http://www.linkedin.com/in/lassesen 
Wolfkiel, Joseph

Re: Missing CPEs

In reply to this post by Ken Lassesen-3
I'm not suggesting removing the part type from the specification.  It's
already optional.  I'm suggesting removing it from the assigned CPE name.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, May 27, 2008 9:37 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Missing CPEs


>One way to resolve the ambiguity would be to leave off the part type if
>there isn't a clear understanding of whether it's an application or
>operating system.

This topic was brought up at CPE Developer Days.  Technically there
would not be an issue with removing the part as it is extremely rare
that vendor/product names are the same for an OS, Application, or piece
of hardware.  So the names would still be unique, which is the ultimate
goal.  But the community also felt that any benefit was not worth the
changes that must be made to the spec.  In addition, having the part
component does allow additional names to be created that might be
useful in the future.  For example, having the part component allows a
name for 'all operating systems from Cisco'.

Is there a desire to reopen this discussion within the community?

Thanks
Drew
Andrew Buttner

Re: Missing CPEs

Good point.  I see what you are saying.  A name created using this
approach would match any Vendor:Product regardless of whether it is an
OS or an App.  Since it is rare that an OS and an Application would
have the same Vendor:Product then the CPE Name would almost always
match the intended platforms.

I think I like this suggestion.  What do others think?  Would this be a
good way of handling those cases where it is arbitrary whether
something is an OS or an App?

Thanks
Drew



>-----Original Message-----
>From: Wolfkiel, Joseph [mailto:[hidden email]]
>Sent: Wednesday, May 28, 2008 10:31 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Missing CPEs
>
>I'm not suggesting removing the part type from the specification.  It's
>already optional.  I'm suggesting removing it from the assigned CPE
>name.
>
>Lt Col Joseph L. Wolfkiel
>
>Director, Computer Network Defense Research & Technology (CND R&T) Program
>Management Office
>
>9800 Savage Rd Ste 6767
>Ft Meade, MD 20755-6767
>Commercial 410-854-5401 DSN 244-5401
>Fax 410-854-6700
>
>
>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Tuesday, May 27, 2008 9:37 AM
>To: [hidden email]
>Subject: Re: [CPE-DISCUSSION-LIST] Missing CPEs
>
>
>>One way to resolve the ambiguity would be to leave off the part type if
>>there isn't a clear understanding of whether it's an application or
>>operating system.
>
>This topic was brought up at CPE Developer Days.  Technically there
>would not be an issue with removing the part as it is extremely rare
>that vendor/product names are the same for an OS, Application, or piece
>of hardware.  So the names would still be unique, which is the ultimate
>goal.  But the community also felt that any benefit was not worth the
>changes that must be made to the spec.  In addition, having the part
>component does allow additional names to be created that might be
>useful in the future.  For example, having the part component allows a
>name for 'all operating systems from Cisco'.
>
>Is there a desire to reopen this discussion within the community?
>
>Thanks
>Drew
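
The matching behaviour discussed in this thread (a name with the part left empty matching any Vendor:Product, and a part-only name such as 'all operating systems from Cisco'), as an added Python example that is not part of any message or of the CPE specification. It assumes the simplified rule that an empty component in a pattern matches any value; the `cpe:/:vendor:product` spelling of a part-less name and every inventory entry, including the hypothetical `examplecorp` collision pair, are constructed for illustration.

```python
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Split a CPE 2.x URI into seven lower-cased components; absent ones become ''."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE URI: {uri!r}")
    comps = [c.lower() for c in uri[5:].split(":")]
    if len(comps) > len(FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    if comps[0] not in ("", "a", "o", "h"):
        raise ValueError(f"unknown part {comps[0]!r} in {uri!r}")
    comps += [""] * (len(FIELDS) - len(comps))
    return dict(zip(FIELDS, comps))

def matches(pattern, candidate):
    """True if every non-empty component of pattern equals the candidate's.

    Assumption: an empty component (including an empty part) means "any".
    """
    p, c = parse_cpe(pattern), parse_cpe(candidate)
    return all(p[f] in ("", c[f]) for f in FIELDS)

def select(pattern, inventory):
    """Return the inventory names matched by pattern, in inventory order."""
    return [name for name in inventory if matches(pattern, name)]

# Constructed inventory; the examplecorp pair is a hypothetical case where an
# OS and an application share the same Vendor:Product.
INVENTORY = [
    "cpe:/o:microsoft:windows_vista:::home_basic",
    "cpe:/o:microsoft:windows_vista:::ultimate",
    "cpe:/a:microsoft:network_monitor",
    "cpe:/o:cisco:ios:12.4",
    "cpe:/a:cisco:vpn_client",
    "cpe:/o:examplecorp:widget",
    "cpe:/a:examplecorp:widget",
]

if __name__ == "__main__":
    for pattern in ("cpe:/o:cisco",                   # all operating systems from Cisco
                    "cpe:/o:microsoft:windows_vista", # every Vista edition
                    "cpe:/:examplecorp:widget"):      # part left off: OS and app both match
        print(pattern, "->", select(pattern, INVENTORY))
```

The last pattern shows the rare case raised in the thread: with the part left off, an OS and an application that share a Vendor:Product are no longer distinguishable by name.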